Learn about Centmin Mod LEMP Stack today
Register Now

Wordpress Wordpress jQuery1.12.4 Vulnerability

Discussion in 'Blogs & CMS usage' started by EckyBrazzz, May 8, 2019.

  1. EckyBrazzz

    EckyBrazzz Active Member

    459
    90
    28
    Mar 28, 2018
    Brazil
    Ratings:
    +170
    Local Time:
    3:50 PM
    1.17.x
    10.3.x
    Running Lighthouse learned me that the current jQuery1.12.4 in WordPress 5.2 that is release today has 2 medium Vulnerabilities.

    There is an easy fix for that as the jQuery3.4.1 Released on 01 May 2019 will not break any themes or plugins as described in https://jquery.com/upgrade-guide/3.0/#core and the latest release version does not have any known vulnerabilities Snyk - [email protected] vulnerabilities

    To update to the latest release you can use https://wordpress.org/support/plugin/jquery-updater/

    After updating the jQuery and testing functionalities of WP I did not notice any errors with plugins/themes.

    Running Lighthouse indicated that the jQuery issue was resolved.
     
    • Informative Informative x 2
  2. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Yeah that is potential problem for many web apps using jquery of varying versions. Though it doesn't mean the jquery version is vulnerable for that web app. It only means jquery itself is vulnerability as web app would only be vulnerable if the web app was coded to use the jquery vulnerable function/features. If the web app wasn't using the jquery vulnerable function/features and/or deploying the recommended mitigations, then the web app wouldn't be vulnerable. Hence, why Wordpress 5.2 is still using the older jquery versions.

    For jquery 1.12.4 Snyk - [email protected] vulnerabilities would be features/functions for
    Though no idea if Wordpress uses those - no web developer heh

    But thanks for heads up and providing a possible workaround. Though from jQuery Updater
    Update: I posted my potential solution via forked wp-jquery-manager wordpress plugin outlined here.
     
  3. EckyBrazzz

    EckyBrazzz Active Member

    459
    90
    28
    Mar 28, 2018
    Brazil
    Ratings:
    +170
    Local Time:
    3:50 PM
    1.17.x
    10.3.x
    The new version is jQuery 3
     
    • Informative Informative x 1
    style="display:inline-block;min-width:400px;max-width:970px;width:95%;height:90px" data-ad-client="ca-pub-6669518204467592" data-ad-slot="4024536743" data-ad-format="auto">
  4. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    ah yes

    noticed both those vulnerabilities have mitigations to prevent exploit so not sure if wordpress is using them
    But then Wordpress isn't only one using jquery, wp plugins are too.
     
  5. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Quick google search for post made 8 months ago Google Lighthouse sees jquery 1.12.4 as vulnerable | WordPress.org
    and #37110 (Update to jQuery 3.*) – WordPress Trac for Wordpress devs work on jquery 3 support
    and #37110 (Update to jQuery 3.*) – WordPress Trac
    from that ticket discussion linked to another tool at Remzi1993/wp-jquery-manager
     
    • Like Like x 1
  6. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    this post suggests security updates were backported into wordpress jquery 1.12.4 Why wordpress only use old jQuery version is 1.12.4? | WordPress.org
    or they're add it to Wordpress dev branch

    but #37110 (Update to jQuery 3.*) – WordPress Trac
    comment on your jquery updater plugin you mentioned #37110 (Update to jQuery 3.*) – WordPress Trac
    testing their dev builds i think has jquery 3
    and https://wordpress.stackexchange.com/a/244543/6702
     
    • Informative Informative x 1
  7. EckyBrazzz

    EckyBrazzz Active Member

    459
    90
    28
    Mar 28, 2018
    Brazil
    Ratings:
    +170
    Local Time:
    3:50 PM
    1.17.x
    10.3.x
    The default is already 1.12. See the first line in my first post. Anybody working with a theme or plugin that uses 1.12 is a kind of outdated, may things have changed since the release of 3.4.x

    Thanks for sharing the link, watching it for new releases, and use this plugin to resolve this, you love really dive deep into it! Using this one now instead of [jQuery Updater] Support | WordPress.org Thanks for commenting it!BTW, GitHub is a great place to live!
     
    Last edited: May 8, 2019
  8. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    yeah i believe that link/post was older hence 1.12 was latest at the time
    you referring to Remzi1993/wp-jquery-manager right ?
     
  9. EckyBrazzz

    EckyBrazzz Active Member

    459
    90
    28
    Mar 28, 2018
    Brazil
    Ratings:
    +170
    Local Time:
    3:50 PM
    1.17.x
    10.3.x
    • Like Like x 1
  10. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Nice I am going to test and evaluate Remzi1993/wp-jquery-manager suitable as well for centmin.sh menu option 22 wordpress auto installer - as a optional wp plugin to be installable of course (not default installed).
     
  11. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    more on jquery 1.12.4 specifically Is there a way to exploit jquery 1.12.4 vulnerability?
    and for jQuery re: $.ajaxSetup mitigation Inadequate/dangerous jQuery behavior for 3rd party text/javascript responses · Issue #2432 · jquery/jquery and last comment Inadequate/dangerous jQuery behavior for 3rd party text/javascript responses · Issue #2432 · jquery/jquery
    And how Magento users used this ajaxPrefilter method https://www.cadence-labs.com/2018/0...how-to-patch-without-upgrading-cve-2015-9251/
     
  12. EckyBrazzz

    EckyBrazzz Active Member

    459
    90
    28
    Mar 28, 2018
    Brazil
    Ratings:
    +170
    Local Time:
    3:50 PM
    1.17.x
    10.3.x
    Final thoughts about these plugins.
    The plugin on GitHub is not up to date, it uses an older jQuery 3.0.1 than the plugin that's on wordpress.org.
    Already posted on GitHub to keep it up to date. Update to latest release of jQuery · Issue #7 · Remzi1993/wp-jquery-manager

    Also, it's on GitHub, so the CLI-WP won't work,

    Noticed that the plugin on Wordpress.org was released only 3 days after jQuery got updated to version jQuery-4.3.1

    jQuery.png

    PHP:
    function rw_jquery_updater()
    {

        
    // jQuery
        // Deregister core jQuery
        
    wp_deregister_script('jquery');
        
    // Register
        
    wp_enqueue_script('jquery'plugins_url('/js/jquery-3.4.1.min.js'__FILE__), false'3.4.1');

        
    // jQuery Migrate
        // Deregister core jQuery Migrate
        
    wp_deregister_script('jquery-migrate');
        
    // Register
        
    wp_enqueue_script('jquery-migrate'plugins_url('/js/jquery-migrate-3.0.0.min.js'__FILE__), array(
            
    'jquery'
        
    ), '3.0.0'); // require jquery, as loaded above
    }
    So, I made my decision and will chose for the jQuery Updater instaed of the GitHub version.
     
    • Informative Informative x 1
  13. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Actually it uses jquery 3.3.1 + jquery-migrate 3.0.1. I forked the wp-jquery-manager and made a centminmod branch with updated jquery 3.4.1 which I am going to test centminmod/wp-jquery-manager I believe I made the right commit changes for it Update wp-jquery-manager.php with jquery 3.4.1 · centminmod/[email protected]. Using Sourcegraph to fully search the forked branch at https://sourcegraph.com/github.com/centminmod/[email protected]
     
  14. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    FYI, on my forked wp-jquery-manager, also added precompressed gzip and brotli versions of jquery files for Centmin Mod Nginx since gzip_static directive is enabled so can serve precompressed versions of jquery file centminmod/wp-jquery-manager :)

    Code (Text):
    ls -lah
    total 2.4M
    drwxr-xr-x 2 root root 4.0K May  9 01:38 .
    drwxr-xr-x 5 root root 4.0K May  9 01:35 ..
    -rw-r--r-- 1 root root 287K May  9 01:35 jquery-1.12.4.js
    -rw-r--r-- 1 root root  71K May  9 01:35 jquery-1.12.4.js.br
    -rw-r--r-- 1 root root  82K May  9 01:35 jquery-1.12.4.js.gz
    -rw-r--r-- 1 root root  95K May  9 01:35 jquery-1.12.4.min.js
    -rw-r--r-- 1 root root  30K May  9 01:35 jquery-1.12.4.min.js.br
    -rw-r--r-- 1 root root  32K May  9 01:35 jquery-1.12.4.min.js.gz
    -rw-r--r-- 1 root root 252K May  9 01:35 jquery-2.2.4.js
    -rw-r--r-- 1 root root  63K May  9 01:35 jquery-2.2.4.js.br
    -rw-r--r-- 1 root root  71K May  9 01:35 jquery-2.2.4.js.gz
    -rw-r--r-- 1 root root  84K May  9 01:35 jquery-2.2.4.min.js
    -rw-r--r-- 1 root root  27K May  9 01:35 jquery-2.2.4.min.js.br
    -rw-r--r-- 1 root root  29K May  9 01:35 jquery-2.2.4.min.js.gz
    -rw-r--r-- 1 root root 266K May  9 01:35 jquery-3.3.1.js
    -rw-r--r-- 1 root root  66K May  9 01:35 jquery-3.3.1.js.br
    -rw-r--r-- 1 root root  75K May  9 01:35 jquery-3.3.1.js.gz
    -rw-r--r-- 1 root root  85K May  9 01:35 jquery-3.3.1.min.js
    -rw-r--r-- 1 root root  27K May  9 01:35 jquery-3.3.1.min.js.br
    -rw-r--r-- 1 root root  29K May  9 01:35 jquery-3.3.1.min.js.gz
    -rw-r--r-- 1 root root 274K May  9 01:35 jquery-3.4.1.js
    -rw-r--r-- 1 root root  68K May  9 01:35 jquery-3.4.1.js.br
    -rw-r--r-- 1 root root  78K May  9 01:35 jquery-3.4.1.js.gz
    -rw-r--r-- 1 root root  87K May  9 01:35 jquery-3.4.1.min.js
    -rw-r--r-- 1 root root  28K May  9 01:35 jquery-3.4.1.min.js.br
    -rw-r--r-- 1 root root  29K May  9 01:35 jquery-3.4.1.min.js.gz
    -rw-r--r-- 1 root root  23K May  9 01:35 jquery-migrate-1.4.1.js
    -rw-r--r-- 1 root root 6.6K May  9 01:35 jquery-migrate-1.4.1.js.br
    -rw-r--r-- 1 root root 7.4K May  9 01:35 jquery-migrate-1.4.1.js.gz
    -rw-r--r-- 1 root root 9.9K May  9 01:35 jquery-migrate-1.4.1.min.js
    -rw-r--r-- 1 root root 3.5K May  9 01:35 jquery-migrate-1.4.1.min.js.br
    -rw-r--r-- 1 root root 3.9K May  9 01:35 jquery-migrate-1.4.1.min.js.gz
    -rw-r--r-- 1 root root  18K May  9 01:35 jquery-migrate-3.0.1.js
    -rw-r--r-- 1 root root 4.9K May  9 01:35 jquery-migrate-3.0.1.js.br
    -rw-r--r-- 1 root root 5.5K May  9 01:35 jquery-migrate-3.0.1.js.gz
    -rw-r--r-- 1 root root  12K May  9 01:35 jquery-migrate-3.0.1.min.js
    -rw-r--r-- 1 root root 3.0K May  9 01:35 jquery-migrate-3.0.1.min.js.br
    -rw-r--r-- 1 root root 3.4K May  9 01:35 jquery-migrate-3.0.1.min.js.gz
    
     
  15. EckyBrazzz

    EckyBrazzz Active Member

    459
    90
    28
    Mar 28, 2018
    Brazil
    Ratings:
    +170
    Local Time:
    3:50 PM
    1.17.x
    10.3.x
    Saw it when inspecting the code. My mistake.

    Updates, I was affraid to miss them, but noticed the integration of YahnisElsts/plugin-update-checker, so I guess I'm safe with that because the WP-CLI is not an option for a theme that I use. Pleases correct me if I'm wrong.

    From centminmod/wp-jquery-manager
    So, just activated it again, and waiting for your pull request! At least if I understood everyhthing correct, please let me know! GitHub keeps amazing me.:)
     
  16. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  17. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  18. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    also wp-jquery-manger dev talking about his plugin and jquery-updater wp plugin at #45130 (Defer jQuery WordPress Admin & Customizer doesn't work properly) – WordPress Trac
    So looks like my forked version of wp-jquery-manager is better suited that jquery-update wp plugin centminmod/wp-jquery-manager
     
    • Like Like x 1
  19. EckyBrazzz

    EckyBrazzz Active Member

    459
    90
    28
    Mar 28, 2018
    Brazil
    Ratings:
    +170
    Local Time:
    3:50 PM
    1.17.x
    10.3.x
    Hmm, gave me a fatal error now.
    Code:
    Warning: require(/home/nginx/domains/domain.com/public/wp-content/plugins/wp-jquery-manager-centminmod/inc/plugin-update-checker/plugin-update-checker.php): failed to open stream: No such file or directory in /home/nginx/domains/domain.com/public/wp-content/plugins/wp-jquery-manager-centminmod/wp-jquery-manager.php on line 55
    
    Warning: require(/home/nginx/domains/domain.com/public/wp-content/plugins/wp-jquery-manager-centminmod/inc/plugin-update-checker/plugin-update-checker.php): failed to open stream: No such file or directory in /home/nginx/domains/domain.com/public/wp-content/plugins/wp-jquery-manager-centminmod/wp-jquery-manager.php on line 55
    
    Fatal error: require(): Failed opening required '/home/nginx/domains/domain.com/public/wp-content/plugins/wp-jquery-manager-centminmod/inc/plugin-update-checker/plugin-update-checker.php' (include_path='.:/usr/local/lib/php') in /home/nginx/domains/domain.com/public/wp-content/plugins/wp-jquery-manager-centminmod/wp-jquery-manager.php on line 55
     
  20. eva2000

    eva2000 Administrator Staff Member

    40,620
    9,015
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,881
    Local Time:
    4:50 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Updated my forked wp-jquery-manager jquery files with patched versions from DanielRuf/snyk-js-jquery-174006 for CVE-2019-11358 - prototype pollution vulnerability fixes in jquery 1.12.4, 2.2.4 and 3.3.1 as well :)

    Code (Text):
    cd assets/js
    
    patch < /svr-setup/snyk-js-jquery-174006/jquery-1.12.4.min.patch   
    patching file jquery-1.12.4.min.js
    
    patch < /svr-setup/snyk-js-jquery-174006/jquery-1.12.4.patch   
    patching file jquery-1.12.4.js
    Hunk #1 succeeded at 208 with fuzz 2.
    
    patch < /svr-setup/snyk-js-jquery-174006/jquery-2.2.4.min.patch 
    patching file jquery-2.2.4.min.js
    
    patch < /svr-setup/snyk-js-jquery-174006/jquery-2.2.4.patch   
    patching file jquery-2.2.4.js
    Hunk #1 succeeded at 208 with fuzz 2.
    
    patch < /svr-setup/snyk-js-jquery-174006/jquery-3.3.1.min.patch
    patching file jquery-3.3.1.min.js
    
    patch < /svr-setup/snyk-js-jquery-174006/jquery-3.3.1.patch   
    patching file jquery-3.3.1.js
    Hunk #1 succeeded at 260 with fuzz 2.